Personal data for 4 million patients at risk after burglary

Personal information for more than 4 million patients of Advocate Medical Group may be at risk after four computers were stolen in a July 15 burglary of an administrative building in Park Ridge, Advocate said Friday.

The information includes names, addresses, Social Security numbers and dates of birth, but no medical records or personal financial information, of patients seen by doctors affiliated with the medical group from the early 1990s through July, said Kelly Jo Golson, senior vice president and chief marketing officer at Downers Grove-based Advocate Health Care.

Advocate on Friday afternoon began sending letters to each of the patients affected, a process that will continue through Sept. 9, Golson said. Advocate is offering a free year of credit monitoring services to those whose information may have been exposed.

Advocate Medical Group is the Chicago area's largest physician group, with more than 1,000 doctors and 200 locations, mostly in Chicagoland and central Illinois. It is part of Advocate Health Care, the area's largest hospital chain, with 12 hospitals. Only patients of the medical group were affected, Golson said.

While the desktop computers were password-protected, they were not encrypted, Golson said.

"Nothing leads us to believe the computers were taken for the information they contain, and there is no information to suggest any of that data has been used in an inappropriate way," Golson said. "We want our patients to know that security is a top priority, and we're focused right now on putting together resources to make sure we can help answer any questions."

Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse, an advocate for consumers' privacy rights, called the incident "a very significant breach." The information could be used to open accounts for credit cards or cellphones in the names of those patients, he said.

"Password protection is worthless," said Stephens, who said simply removing a hard drive and attaching it to another device would overcome that obstacle.

Stephens said affected patients may want to place a fraud alert on their credit report, which notifies potential creditors to verify their identity before granting credit. To place an alert, Stephens said consumers need to contact only one of the three major credit reporting agencies: Experian, TransUnion and Equifax. The alerts expire after 90 days but can be renewed.

Any fraudulent activity, he said, could take up to a month to surface on a credit report, but credit inquiries would surface right away. Patients should immediately order a free credit report from all three credit agencies, Stephens said.

The incident occurred in the early morning hours of July 15 at Advocate's 70,000-square-foot administrative offices on West Touhy Avenue. The building was not equipped with an alarm, but it had a security camera and a panic button, Golson said. Advocate has since installed continuous security staffing at the office and is re-evaluating its security systems and practices systemwide.

Advocate informed the Park Ridge Police Department immediately, and Golson said it continues to work with investigators. The computers have not been recovered. Police did not return a call.

Golson said Advocate officials first had to determine the extent of the data potentially exposed before notifying patients, a process that took more than a month.

"There was a large volume of data on the computers, and the format of the data was very complex," Golson said. "We were very comprehensive and thorough in our analysis of the data to ensure we were notifying every patient who may be affected."

The Illinois attorney general's office is looking into the matter but has yet to determine whether it will take any legal action, a spokeswoman said.

Craig Spiezle, executive director of Online Trust Alliance, a nonprofit advocacy group, said companies should have data response plans in place to prevent such lag times. Such plans, he said, ensure that if a breach occurs, a company can act immediately because it knows exactly which data is stored where at all times.

After the extent of the information potentially exposed became clear, Advocate notified the federal Health and Human Services Department and its office of human rights, the Illinois attorney general, some insurance companies, and a handful of elected officials.

Worldwide, 2,644 data breaches were reported in 2012, more than double the 2011 figure, according to the Online Trust Alliance.

This year, at least 10 breaches have been reported in Illinois, including an April hacking incident at Morningstar Document Research that may have compromised certain data for 182,000 customers. Morningstar notified clients in July.

Advocate has set up temporary call centers to handle patient inquiries, as well as a website that went live Friday afternoon, patientnotice.org.

The attorney general's office said consumers whose data may have been compromised should call its identity theft hotline at 866-999-5630.